Site Navigation

Date:      Wed, 03 Sep 2008 09:25:12 -0400
From:      Jon Radel <jon@radel.com>
To:        Guido van Rooij <guido@gvr.org>
Cc:        freebsd-pf@freebsd.org
Subject:   Re: keeping state on outgoing connections fails (?)
Message-ID:  <48BE9038.8020303@radel.com>
In-Reply-To: <20080903125407.GA27232@gvr.gvr.org>
References:  <20080903110943.GA25396@gvr.gvr.org> <48BE864C.6000006@radel.com> <20080903125407.GA27232@gvr.gvr.org>

---

next in thread | previous in thread | raw e-mail | index | archive | help

---

[-- Attachment #1 --]
Guido van Rooij wrote:
> On Wed, Sep 03, 2008 at 08:42:52AM -0400, Jon Radel wrote:
>> Guido van Rooij wrote:
>>> Setup: FreeBSD 6.3 system with 2 interfaces: ep0 and bge0.
>>>
>>> ep0: 1.2.3.4/24
>>> bge0: 10.0.0.1/24
>>>
>>> ruleset (made as simple as possible):
>>> pass in quick on ep0 inet from 1.2.3.1 to 10.0.0.2
>>> block drop out log quick on ep0 all
>>> pass out quick on bge0 inet proto tcp from 1.2.3.1 to 10.0.0.2 keep state
>>>
>>> When I telnet from 1.2.3.1 to 10.0.0.2, the packet comes in via ep0
>>> and passes because of rule 1.
>>> Then the packet goes out via bge0, is passed via rule 3 and a satte entry is
>>> created.
>>>
>>> The return SYN/ACK comes in via bge0 and passes because of the state entry.
>>>
>>> Then the packet should be sent out via ep0, but it is blocked, as pflogd shows:
>> And does the problem go away when you put a "keep state" at the end of
>> line 1?
>>
> 
> I don't know. Due to the nature of the setup, that is not an option (like
> I posted in the original mail, this is a very simplistic ruleset; the
> real life situation will be a 5-interface setup with a lot more
> complexity. Being able to set state on outgoing packets is crucial).
> 
> I did test the folowing ruleset:
> pass in quick on ep0 inet from 1.2.3.1 to 10.0.0.2 keep state
> block drop out log quick on ep0 all
> pass out quick on bge0 inet proto tcp from 1.2.3.1 to 10.0.0.2
> 
> And there it works, but doesn't solve my problem unfrotunately.

And why doesn't it solve your problem?

You really are going to have to either keep state on ep0 or allow
everything that's legal in "pass out on ep0" statements.

For example:

block all
pass in on ep0 inet from 1.2.3.1 to 10.0.0.2
pass out on ep0 inet from 10.0.0.2 to 1.2.3.1
pass out on bge0 inet proto tcp from 1.2.3.1 to 10.0.0.2 keep state

--Jon Radel

[-- Attachment #2 --]
0�	*�H��

��0�

10	+0�	*�H��


��	10��0�\�
m����t�������v0
	*�H��


0b10	UZA1%0#U
Thawte Consulting (Pty) Ltd.1,0*U#Thawte Personal Freemail Issuing CA0
080324165921Z
090324165921Z0^10URadel10U*
Jon Thomas10UJon Thomas Radel10	*�H��

	

jon@radel.com0�
"0
	*�H��



�
0�

�

�t,P���p�#�
٬q�_�2�=�L����-^m�>�z3�����ʟV�!��[(�[ A���o������E��}ϛ�3/��6�?񥃮�c��W�x(/��)'�$6�s�T�l<*�i��'��=���uox�Mbt�
���r�dtn��x��ud���1�R6����T����>z�U0���FZ,v�N�9�NP{�>q�E�`^���P;	�*Wg/jN*O�V�ՠ��Q����M���B�(�=����:����
�

�*0(0U0�
jon@radel.com0U

�00
	*�H��


����h�!o�ܨ��[�А!f�N#[�Z�
�b$3?�x&��$�~Ħ9�}`�MX[It}�/�b�XZa����jgx���ɥ��' �2N
��rt�WA�r �sFި��'���^@mDVw\��)����0��0�\�
m����t�������v0
	*�H��


0b10	UZA1%0#U
Thawte Consulting (Pty) Ltd.1,0*U#Thawte Personal Freemail Issuing CA0
080324165921Z
090324165921Z0^10URadel10U*
Jon Thomas10UJon Thomas Radel10	*�H��

	

jon@radel.com0�
"0
	*�H��



�
0�

�

�t,P���p�#�
٬q�_�2�=�L����-^m�>�z3�����ʟV�!��[(�[ A���o������E��}ϛ�3/��6�?񥃮�c��W�x(/��)'�$6�s�T�l<*�i��'��=���uox�Mbt�
���r�dtn��x��ud���1�R6����T����>z�U0���FZ,v�N�9�NP{�>q�E�`^���P;	�*Wg/jN*O�V�ՠ��Q����M���B�(�=����:����
�

�*0(0U0�
jon@radel.com0U

�00
	*�H��


����h�!o�ܨ��[�А!f�N#[�Z�
�b$3?�x&��$�~Ħ9�}`�MX[It}�/�b�XZa����jgx���ɥ��' �2N
��rt�WA�r �sFި��'���^@mDVw\��)����0�?0���


0
	*�H��


0��10	UZA10UWestern Cape10U	Cape Town10U
Thawte Consulting1(0&UCertification Services Division1$0"UThawte Personal Freemail CA1+0)	*�H��

	
personal-freemail@thawte.com0
030717000000Z
130716235959Z0b10	UZA1%0#U
Thawte Consulting (Pty) Ltd.1,0*U#Thawte Personal Freemail Issuing CA0��0
	*�H��



��0����Ħ<UsU�N�ʙZh�up��������[�v�:a�Q�
��P
0�cZ,�p����+�Z�?qV˯<���6$*�+��w=�+��>�@�dק���e��*T�H���<a@dr`��

���0��0U

�0

�
0CU<0:08�6�4�2http://crl.thawte.com/ThawtePersonalFreemailCA.crl0U
0)U"0 �010UPrivateLabel2-1380
	*�H��


��H��P��.�
�f�g�����C���L!��6�-�6/��P �p<���ab��:~�����t�%P�b��'qW%�ݩ�9�� Oe_�������N���4�[5Mw�V!x��!5�$��F�]_eO1�d0�`

0v0b10	UZA1%0#U
Thawte Consulting (Pty) Ltd.1,0*U#Thawte Personal Freemail Issuing CAm����t�������v0	+��
�0	*�H��

	1	*�H��


0	*�H��

	1
080903132512Z0#	*�H��

	1̻�¯W�$��+��ES+L_0R	*�H��

	1E0C0
*�H��
0*�H��
�0
*�H��

@0+0
*�H��

(0��	+

�71x0v0b10	UZA1%0#U
Thawte Consulting (Pty) Ltd.1,0*U#Thawte Personal Freemail Issuing CAm����t�������v0��*�H��

	1x�v0b10	UZA1%0#U
Thawte Consulting (Pty) Ltd.1,0*U#Thawte Personal Freemail Issuing CAm����t�������v0
	*�H��



�
�-�Z�s�����,@�7Gv�w���(7�G��*�|f�Ȣ�ѥ/�h<NY�i✺�/��=m��X%��
D��1�R�l���㺊����8�b�Q�`L�µh����!������ 6v|��4FlM�S���@=:����j�?ۓ�W5���`�j	}f�Ď� ��ܼH�
E
��V�7��qJx�h�$��/fQz���«��2��>�1p̄��hDj�f}Н39K����雚�[?%�����

---

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?48BE9038.8020303>

Legal Notices | © 1995-2025 The FreeBSD Project. All rights reserved.

Contact